trouble getting Jail with IPFW+NAT to work

Alexander Petrovsky askjuise at gmail.com
Sat Jul 31 14:30:34 UTC 2010


Please show the output of `ifconfig`!
Please show the output of `netstat -arn`!

2010/7/31 Rick van der Zwet <info at rickvanderzwet.nl>

> I would like to run jails on this system [FreeBSD 8.0-RELEASE-p4 (amd64)],
> and the jails should have access to the outside world via NAT, as I
> have only one external IP address. The jails are bound to IPs
> configured on the lo1 interface.
>
> Looking at my tcpdump, ICMP packets seem to flow out and back in, but
> the replies never get received by my jail. A natd setup does not work
> either. If I use the pf firewall, however, it works like a charm.
>
> Is this setup not supported by IPFW+NAT or am I doing something wrong?
>
> /Rick
>
> I test my connection using:
>    # ping -c 1 8.8.8.8 >/dev/null ; echo $?
>    0
>    # jls | grep 13
>      13  10.0.0.2        wleiden.vanderzwet.net        /usr/jail/wleiden
>    # jexec 13 ping -c 1 10.0.0.1 > /dev/null ; echo $?
>    0
>    # jexec 13 ping 8.8.8.8
>    ^C
>    --- 8.8.8.8 ping statistics ---
>    15 packets transmitted, 0 packets received, 100.0% packet loss
>
> tcpdump output while the last ping was running:
>    # tcpdump -i re0 ip proto 1
>    11:04:33.176393 IP 78.46.85.230 > 8.8.8.8: ICMP echo request, id
> 43582, seq 313, length 64
>    11:04:33.183051 IP 8.8.8.8 > 78.46.85.230: ICMP echo reply, id
> 43582, seq 313, length 64
>    11:04:34.186391 IP 78.46.85.230 > 8.8.8.8: ICMP echo request, id
> 43582, seq 314, length 64
>    11:04:34.192663 IP 8.8.8.8 > 78.46.85.230: ICMP echo reply, id
> 43582, seq 314, length 64
>
> = /etc/rc.conf relevant snippets =
> firewall_enable="YES"
> firewall_nat_enable="YES"
> firewall_script="/etc/rc.firewall.local"
>
> cloned_interfaces="lo1"
> ifconfig_lo1="inet 10.0.0.1 netmask 255.255.255.0"
> ifconfig_lo1_alias0="inet 10.0.0.2 netmask 255.255.255.0"
>
> gateway_enable="YES"
>
> jail_enable="YES"
> jail_wleiden_rootdir="/usr/jail/wleiden"
> jail_wleiden_hostname="wleiden.vanderzwet.net"
> jail_wleiden_ip="10.0.0.2"
> jail_wleiden_devfs_enable="YES"
> jail_wleiden_devfs_ruleset="devfsrules_jail"
>
> = relevant sysctl entries =
> net.inet.ip.forwarding: 1
> security.jail.allow_raw_sockets: 1
> net.inet.ip.fw.enable: 1
>
> = /etc/sysctl.conf =
> security.jail.allow_raw_sockets=1
>
> = Loaded modules =
> %kldstat
> Id Refs Address            Size     Name
>  1   17 0xffffffff80100000 d188c0   kernel
>  2    1 0xffffffff80e19000 20ab0    geom_mirror.ko
>  4    1 0xffffffff8102d000 7f2      accf_http.ko
>  5    1 0xffffffff8102e000 1ea      accf_data.ko
>  6    1 0xffffffff8102f000 1f3e     nullfs.ko
>  8    3 0xffffffff81022000 a1d1     ipfw.ko
>  9    1 0xffffffff81031000 14d5     ipfw_nat.ko
> 10    1 0xffffffff81033000 b39a     libalias.ko
> 11    1 0xffffffff8103f000 163f     ipdivert.ko
>
> = /etc/rc.firewall.local =
> #!/bin/sh -
> fwcmd="/sbin/ipfw"
>
> ############
> # Flush out the list before we begin.
> ${fwcmd} -f flush
>
> ${fwcmd} add 100 pass all from any to any via lo0
>
> # Also tested using the lines below
> # natd -interface re0 -verbose | tee -i /tmp/natd.log &
> # ${fwcmd} add divert natd all from 10.0.0.0/24 to any via re0
> ${fwcmd} add nat 200 all from 10.0.0.0/24 to any via re0
> ${fwcmd} nat 200 config if re0
>
> ${fwcmd} add 65001 allow all from any to any
>
>
> == pf setup ==
>
> = Loaded modules =
> %kldstat
> Id Refs Address            Size     Name
>  1   11 0xffffffff80100000 d188c0   kernel
>  2    1 0xffffffff80e19000 20ab0    geom_mirror.ko
>  4    1 0xffffffff8102d000 7f2      accf_http.ko
>  5    1 0xffffffff8102e000 1ea      accf_data.ko
>  6    1 0xffffffff8102f000 1f3e     nullfs.ko
> 11    1 0xffffffff81031000 2bbc1    pf.ko
>
> = /etc/pf.conf =
> nat on re0 from lo1:network to any -> (re0)
>
> ## FILTER RULES
> pass in log all keep state
> pass out log all keep state
>
> = /etc/rc.conf =
> pf_enable="YES"
>
> ... [snip: interface/route setup same as above]
> ... [snip: jail setup same as above]
>
> = Output test =
> jexec 13 ping -c 3 8.8.8.8
> PING 8.8.8.8 (8.8.8.8): 56 data bytes
> 64 bytes from 8.8.8.8: icmp_seq=0 ttl=57 time=6.490 ms
> 64 bytes from 8.8.8.8: icmp_seq=1 ttl=57 time=6.836 ms
> 64 bytes from 8.8.8.8: icmp_seq=2 ttl=57 time=6.252 ms
>
> --- 8.8.8.8 ping statistics ---
> 3 packets transmitted, 3 packets received, 0.0% packet loss
> round-trip min/avg/max/stddev = 6.252/6.526/6.836/0.240 ms
>
>
> --
> http://rickvanderzwet.nl
>



-- 
Петровский Александр / Alexander Petrovsky,

ICQ: 350342118
Jabber: juise at jabber.ru
Phone: +7 914 8 820 815

